Organizations storing credit card numbers and other sensitive data have important security responsibilities, including strict compliance requirements under PCI DSS. Vaultless tokenization from Futurex, available on-premises or in the cloud, allows merchants and other organizations to reduce their regulatory compliance scope, decreasing costs and enhancing their overall security posture.

What is Tokenization?

Tokenization is a method of protecting sensitive data, typically credit card numbers, by using randomly generated substitute characters as placeholder data. These random characters, known as tokens, have no intrinsic value, but they allow authorized users to retrieve the sensitive data when needed. If tokenized data is lost or stolen, it is useless to cybercriminals. Furthermore, for organizations charged with safeguarding information in accordance with mandated compliance standards such as the Payment Card Industry Data Security Standard (PCI DSS), it can serve as a useful way to reduce compliance scope and simplify auditing.

Vaultless tokenization is safer and more efficient. Futurex’s primary tokenization platform, the Key Management Enterprise Server (KMES) Series 3, uses a FIPS 140-2 Level 3 compliant Secure Cryptographic Device to tokenize data. This data can then be detokenized, returning the appropriate portion of clear data, for use by authorized parties or applications. In this model, there is no token vault or centralized token database to maintain.

Supports Tokenization for Personally Identifiable Information (PII)

In addition to supporting credit card, or primary account number (PAN) tokenization, Futurex also supports personally identifiable information (PII) tokenization. PII tokenization is applicable to virtually every industry, for data types such as social security numbers, birth dates, passport numbers, and account numbers. Futurex's tokenization interface, offered as network-level and REST APIs, allows the KMES Series 3 to easily integrate into a variety of different environments.

Reduced PCI DSS Compliance Scope and Cost

Tokenization is a secret weapon for organizations with heavy compliance burdens. Financial institutions, for instance, are often responsible for securing millions of account holder credentials in data infrastructures that are subject to PCI DSS regulations. Tokenizing as much data as possible allows these organizations to ease their compliance burdens, as tokens are not generally within the scope of audits.

Format-Preserving Encryption Eliminates Database Changes

Futurex vaultless tokenization uses a method of format-preserving encryption that retains the format of the original text if desired. This allows tokenization to be easily implemented without changes to database structure or application formatting. For example, an untokenized 16-character PAN would be tokenized as 16 random numeric characters.

On-Premises or Cloud-Based Deployment Models

The KMES Series 3 is Futurex’s most robust tokenization platform. It is FIPS 140-2 Level 3 and PCI HSM 2.x compliant and is equipped with a variety of features for customized output and detokenization. The VirtuCrypt Hardened Enterprise Security Cloud, powered by Futurex hardware, offers a Tokenization-as-a-Service platform for organizations preferring the cloud over on-premises hardware.

Without Tokenization

Organizations not using tokenization who store cardholder data are within the full scope of a PCI DSS audit. All databases and applications storing clear-text PAN data must be audited.

Using Vaultless Tokenization

Using vaultless tokenization, clear cardholder data is tokenized before storage, which allows organizations to consolidate their compliance scope into a much smaller footprint.

Customized, Role-Specific Detokenization

The information security principle of least privilege dictates that organizations limit access to sensitive data to solely what an individual needs to do their job. Any additional access is an unnecessary exposure of sensitive data. Intelligence agencies have operated under this principle of “need to know access” for years. This reduces the risk of data breaches of both the accidental and intentional varieties. Customizing detokenization output based on user or application role is one way to accomplish this.

With the customization options available in the KMES Series 3, administrators can control exactly how much detokenized data any one employee or application is able to view. For example, loyalty applications may find a partially detokenized account number, perhaps just the last four digits of a credit card number, sufficient to do their job, while an e-commerce application would likely require a fully detokenized account number for repeat purchases. Still other applications, like business analytics, may be able to use the token itself as an identifier without any need to ever detokenize it. Futurex’s vaultless tokenization allows these options to be customized for all parties and managed from a central location.
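The two ideas above, format-preserving vaultless tokens and role-specific detokenization, can be sketched together; this is an added illustration, not Futurex code or the KMES Series 3 API. It assumes a toy keyed Feistel network over decimal digits (not NIST FF1 and not production-grade), a key passed as a parameter where the described product keeps it inside the HSM, and hypothetical role names taken from the examples in the text.

```python
import hashlib
import hmac

HALF = 8                 # a 16-digit PAN is split into two 8-digit halves
MOD = 10 ** HALF
ROUNDS = 10
# Hypothetical role-to-output policy, mirroring the three examples in the text.
POLICY = {"loyalty": "last4", "ecommerce": "full", "analytics": "token"}

def _round(key: bytes, rnd: int, half: int) -> int:
    """Keyed round function: HMAC-SHA256 reduced to an 8-digit number."""
    msg = bytes([rnd]) + f"{half:0{HALF}d}".encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big") % MOD

def _split(digits: str) -> tuple[int, int]:
    if len(digits) != 2 * HALF or not (digits.isascii() and digits.isdigit()):
        raise ValueError("expected 16 ASCII digits")
    return int(digits[:HALF]), int(digits[HALF:])

def tokenize(key: bytes, pan: str) -> str:
    """16 digits in, 16 digits out; nothing is stored, so there is no vault."""
    left, right = _split(pan)
    for rnd in range(ROUNDS):
        left, right = right, (left + _round(key, rnd, right)) % MOD
    return f"{left:0{HALF}d}{right:0{HALF}d}"

def _detokenize(key: bytes, token: str) -> str:
    left, right = _split(token)
    for rnd in reversed(range(ROUNDS)):      # undo the rounds in reverse order
        left, right = (right - _round(key, rnd, left)) % MOD, left
    return f"{left:0{HALF}d}{right:0{HALF}d}"

def detokenize_for(role: str, key: bytes, token: str) -> str:
    """Return only as much clear data as the caller's role is allowed to see."""
    mode = POLICY.get(role)
    if mode is None:
        raise PermissionError(f"role {role!r} may not detokenize")
    if mode == "token":
        return token                          # the key is never used for this role
    pan = _detokenize(key, token)
    return pan if mode == "full" else "*" * 12 + pan[-4:]
```

Because the token has the same length and character set as the PAN, it fits an existing 16-character numeric column, and unlisted roles are refused by default.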